
updating all detections with quotes
patel-bhavin committed Oct 24, 2024
1 parent 7bc11be commit 8b03f3d
Showing 1,309 changed files with 10,472 additions and 10,472 deletions.
Expand Up @@ -15,14 +15,14 @@ references:
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
drilldown_searches:
- name: View the detection results for - $dest$
search: '%original_detection_search% | search dest = $dest$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- CrushFTP Vulnerabilities
16 changes: 8 additions & 8 deletions detections/application/detect_password_spray_attempts.yml
Expand Up @@ -14,14 +14,14 @@ known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for - $sourcetype$
search: '%original_detection_search% | search sourcetype = $sourcetype$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $sourcetype$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($sourcetype$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$sourcetype$"
search: '%original_detection_search% | search sourcetype = "$sourcetype$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$sourcetype$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Compromised User Account
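Review bot: Wrapping the time offsets in literal double quotes, `earliest_offset: '"$info_min_time$"'` and `latest_offset: '"$info_max_time$"'`, turns what was a bare epoch token into a string that carries quote characters; unlike the `search:` lines these are not SPL fragments, and whatever presumably consumes them as a time bound may not accept the quoted form. I would keep the quoting on the search lines (`search sourcetype = "$sourcetype$"` and `IN ("$sourcetype$")`), where a field value containing spaces or operators would otherwise be mis-parsed, and leave the offsets as `earliest_offset: $info_min_time$` / `latest_offset: $info_max_time$`. The `name:` strings now also show the quotes to the analyst, which looks cosmetic but is worth confirming as intended. The added quotes do not neutralise a field value that itself contains a `"`, since the token is interpolated verbatim into the SPL, so a brief comment above `drilldown_searches:` recording that assumption would help the next maintainer. The same pattern repeats in ivanti_vtm_new_account_creation.yml, okta_idp_lifecycle_modifications.yml, okta_multiple_accounts_locked_out.yml, okta_new_api_token_created.yml and the unnamed sections on this page.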
16 changes: 8 additions & 8 deletions detections/application/ivanti_vtm_new_account_creation.yml
Expand Up @@ -15,14 +15,14 @@ references:
- https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593
- https://nvd.nist.gov/vuln/detail/CVE-2024-7593
drilldown_searches:
- name: View the detection results for - $MODUSER$
search: '%original_detection_search% | search MODUSER = $MODUSER$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $MODUSER$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($MODUSER$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$MODUSER$"
search: '%original_detection_search% | search MODUSER = "$MODUSER$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$MODUSER$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Ivanti Virtual Traffic Manager CVE-2024-7593
Expand Up @@ -15,14 +15,14 @@ references:
- https://sec.okta.com/everythingisyes
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
16 changes: 8 additions & 8 deletions detections/application/okta_idp_lifecycle_modifications.yml
Expand Up @@ -15,14 +15,14 @@ references:
- https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Suspicious Okta Activity
Expand Up @@ -15,14 +15,14 @@ references:
- https://attack.mitre.org/techniques/T1556/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
16 changes: 8 additions & 8 deletions detections/application/okta_multiple_accounts_locked_out.yml
Expand Up @@ -15,14 +15,14 @@ references:
- https://attack.mitre.org/techniques/T1110/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
Expand Up @@ -14,14 +14,14 @@ known_false_positives: Multiple Failed MFA requests may also be a sign of authen
references:
- https://attack.mitre.org/techniques/T1621/
drilldown_searches:
- name: View the detection results for - $src_user$
search: '%original_detection_search% | search src_user = $src_user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $src_user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$src_user$"
search: '%original_detection_search% | search src_user = "$src_user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$src_user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
Expand Up @@ -15,14 +15,14 @@ references:
- https://attack.mitre.org/techniques/T1110/003/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
16 changes: 8 additions & 8 deletions detections/application/okta_new_api_token_created.yml
Expand Up @@ -15,14 +15,14 @@ references:
- https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: '"$info_min_time$"'
latest_offset: '"$info_max_time$"'
tags:
analytic_story:
- Okta Account Takeover
